CVE-2025-53864
Denial of Service vulnerability in nimbus-jose-jwt (Maven)

Denial of Service No known exploit

What is CVE-2025-53864 About?

Connect2id Nimbus JOSE + JWT versions before 10.0.2 are vulnerable to a denial of service attack. A remote attacker can trigger uncontrolled recursion by supplying a deeply nested JSON object within a JWT claim set, causing the service to become unresponsive. Exploitation is of moderate complexity, relying on crafting a malformed JWT.

Affected Software

  • com.nimbusds:nimbus-jose-jwt
    • >9.38-rc1, <10.0.2
    • <9.37.4

Technical Details

The vulnerability stems from the Connect2id Nimbus JOSE + JWT library's inability to properly handle deeply nested JSON objects within JWT claim sets. When a remote attacker crafts a JWT with an excessively deep JSON structure in its claims, the library's parsing or processing logic enters an uncontrolled recursive state. This recursion rapidly consumes system resources (e.g., stack memory), eventually leading to a stack overflow or similar resource exhaustion, which causes the application to crash or become unresponsive. This denial of service is independent of any underlying JSON parser's capabilities, as the library itself doesn't impose limits on JSON object nesting depth.

What is the Impact of CVE-2025-53864?

Successful exploitation may allow attackers to disrupt services, causing denial of service and making the application or system unavailable to legitimate users.

What is the Exploitability of CVE-2025-53864?

Exploitation involves crafting a malformed JWT with a deeply nested JSON object in its claim set. The complexity is moderate, as it requires knowledge of JWT structure and the ability to generate a valid, yet maliciously crafted, token. Authentication requirements depend on whether the application processes unauthenticated JWTs; if so, no authentication is needed. Otherwise, the attacker may need a valid, even if low-privileged, JWT that the vulnerable component will process. This is a remote attack. There are no special conditions beyond the specific structure of the JWT claim set. The likelihood of exploitation increases if the application processes JWTs from untrusted sources or if the library is used in an internet-facing service without input validation on JWT structures.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-53864?

Available Upgrade Options

  • com.nimbusds:nimbus-jose-jwt
    • <9.37.4 → Upgrade to 9.37.4
  • com.nimbusds:nimbus-jose-jwt
    • >9.38-rc1, <10.0.2 → Upgrade to 10.0.2


Additional Resources

What are Similar Vulnerabilities to CVE-2025-53864?

Similar Vulnerabilities: CVE-2022-21724, CVE-2021-43818, CVE-2020-13936, CVE-2019-17558, CVE-2018-1000109